Examining SSL/TLS handshakes improves network security and optimizes legacy and Advanced URL
Filtering subscriptions. When you enable SSL/TLS handshake inspection, Advanced URL
Filtering uses data in the handshake to identify the traffic and enforce applicable
Security policy rules as early as possible.
Here’s how it works:

1. The Client Hello message is scanned for the Server Name Indication (SNI) field, a TLS protocol extension that contains the hostname of the requested website.
2. The URL category and server destination of the traffic are determined from the hostname.
3. Traffic is enforced based on its URL category. If a threat is detected, such as a malicious web server in the SNI field, or if a Security policy rule blocks the website, the handshake terminates and the web session ends immediately.
4. If no threat is detected and the traffic is allowed per policy, the SSL/TLS handshake is completed and application data is exchanged through the secure
URL filtering response pages do not display for sites blocked during SSL/TLS handshake inspection because the firewall resets the HTTPS connection. The connection reset ends the SSL/TLS handshake and prevents user notification by response page. The browser displays a standard connection error message.
You can find details of successful SSL/TLS handshakes and sessions in the Traffic and Decryption logs. Details of failed sessions can be found in URL Filtering logs; Decryption logs aren’t generated for web sessions blocked during SSL/TLS handshakes.